Angry Over U.S. Surveillance, Tech Giants Bolster Defenses

A Google data center in Council Bluffs, Iowa. This summer, the company sped up a project to encrypt internal systems.Credit
Google, via Associated Press

SAN FRANCISCO — Google has spent months and millions of dollars encrypting email, search queries and other information flowing among its data centers worldwide. Facebook’s chief executive said at a conference this fall that the government “blew it.” And though it has not been announced publicly, Twitter plans to set up new types of encryption to protect messages from snoops.

It is all reaction to reports of how far the government has gone in spying on Internet users, sneaking around tech companies to tap into their systems without their knowledge or cooperation.

What began as a public relations predicament for America’s technology companies has evolved into a moral and business crisis that threatens the foundation of their businesses, which rests on consumers and companies trusting them with their digital lives.

So they are pushing back in various ways — from cosmetic tactics like publishing the numbers of government requests they receive to political ones including tense conversations with officials behind closed doors. And companies are building technical fortresses intended to make the private information in which they trade inaccessible to the government and other suspected spies.

Yet even as they take measures against government collection of personal information, their business models rely on collecting that same data, largely to sell personalized ads. So no matter the steps they take, as long as they remain ad companies, they will be gathering a trove of information that will prove tempting to law enforcement and spies.

When reports of surveillance by the National Security Agency surfaced in June, the companies were frustrated at the exposure of their cooperation with the government in complying with lawful requests for the data of foreign users, and they scrambled to explain to customers that they had no choice but to obey the requests.

But as details of the scope of spying emerge, frustration has turned to outrage, and cooperation has turned to war.

The industry has learned that it knew of only a fraction of the spying, and it is grappling with the risks of being viewed as an enabler of surveillance of foreigners and American citizens.

Lawmakers in Brazil, for instance, are considering legislation requiring online services to store the data of local users in the country. European lawmakers last week proposed a measure to require American Internet companies to receive permission from European officials before complying with lawful government requests for data.

“The companies, some more than others, are taking steps to make sure that surveillance without their consent is difficult,” said Christopher Soghoian, a senior analyst at the American Civil Liberties Union. “But what they can’t do is design services that truly keep the government out because of their ad-supported business model, and they’re not willing to give up that business model.”

Even before June, Google executives worried about infiltration of their networks. The Washington Post reported on Wednesday that the N.S.A. was tapping into the links between data centers, the beating heart of tech companies housing user information, confirming that their suspicions were not just paranoia.

In response, David Drummond, Google’s chief legal officer, issued a statement that went further than any tech company had publicly gone in condemning government spying. “We have long been concerned about the possibility of this kind of snooping,” he said. “We are outraged at the lengths to which the government seems to have gone.”

A tech industry executive who spoke only on the condition of anonymity because of the sensitivities around the surveillance, said, “Just based on the revelations yesterday, it’s outright theft,” adding, “These are discussions the tech companies are not even aware of, and we find out from a newspaper.”

Though tech companies encrypt much of the data that travels between their servers and users’ computers, they do not generally encrypt their internal data because they believe it is safe and because encryption is expensive and time-consuming and slows down a network.

But Google decided those risks were worth it. And this summer, as it grew more suspicious, it sped up a project to encrypt internal systems. Google is also building many of its own fiber-optic lines through which the data flows; if it controls them, they are harder for outsiders to tap.

Tech companies’ security teams often feel as if they are playing a game of Whac-a-Mole with intruders like the government, trying to stay one step ahead.

Google, for instance, changes its security keys, which unlock encrypted digital data so it is readable, every few weeks. Google, Facebook and Yahoo have said they are increasing the length of these keys to make them more difficult to crack.

Facebook also said it was adding the encryption method of so-called perfect forward secrecy, which Google did in 2011. This means that even if someone gets access to a secret key, that person cannot decrypt past messages and traffic.

“A lot of the things everybody knew they should do but just weren’t getting around to are now a much higher priority,” said Paul Kocher, president and chief scientist of Cryptography Research, which makes security technologies.

Facebook said in July that it had turned on secure browsing by default, and Yahoo said last month that it would do the same for Yahoo Mail early next year. And Twitter is developing a variety of new security measures, including encrypting private direct messages, according to a person briefed on the measures.

Many tech companies have made public information about the number of government requests for user data they receive, and sued to ask for permission to publish more of this data. On Thursday, Google, Microsoft, Facebook, Yahoo, Apple and AOL reiterated these points in a letter to members of Congress.

But publishing the numbers of requests the companies receive has less meaning now that reports show the government sees company data without submitting a legal request.

A sense of betrayal runs through the increasingly frequent conversations between tech company lawyers and lawmakers and law enforcement in Washington, and in private conversations among engineers at the companies and increasingly outspoken public statements by executives.

Mr. Drummond and Larry Page, Google’s co-founder and chief executive, have said privately that they thought the government betrayed them when the N.S.A. leaks began, by failing to explain the tech companies’ role to the public or the extent of its spying to the tech companies, according to three people briefed on these conversations. When President Obama invited tech chief executives to discuss surveillance in August, Mr. Page did not go and sent a lower-level employee instead.

“The government blew it,” he said. “The government’s comment was, ‘Oh, don’t worry, basically we’re not spying on any Americans.’ Right, and it’s like, ‘Oh, wonderful, yeah, it’s like that’s really helpful to companies that are really trying to serve people around the world and really going to inspire confidence in American Internet companies.’ ”

Correction: November 4, 2013

A picture caption on Friday with the continuation of an article about technology companies’ bolstering defenses of their data against government surveillance, using information from The Associated Press, misidentified the location of the Google data center shown. It is in Council Bluffs, Iowa — not in Helsinki, Finland.

A version of this article appears in print on November 1, 2013, on page A1 of the New York edition with the headline: Angry Over U.S. Surveillance, Tech Giants Bolster Defenses. Order Reprints|Today's Paper|Subscribe